As AI changes the way software is developed, Veracode CMO Karen Buffo sees application security entering a new phase — one where organizations need more than vulnerability detection. They need to know whether the software they are deploying is actually safe. In this Q&A, Buffo discusses AI-powered remediation, open source risk, CISO accountability, and Veracode’s move toward what the company is positioning as “trust authority.”
That shift is happening at a moment when organizations are under growing pressure to move faster while simultaneously managing more risk. AI-generated code, increasing reliance on open-source components, and evolving regulatory scrutiny are all forcing security leaders to rethink how software is developed, validated, and deployed. For Buffo, the challenge is about creating systems that can scale trust alongside innovation.
A. I've been in cybersecurity for a long time, and those early years were such a formative part of my career. I grew so much. I had so many different roles — I started in corporate communications, then moved into executive communications, and evolved from there into strategy and business enablement. Getting that breadth of experience across functions really shaped how I think about the work today.
What I loved most was that you really felt like you were contributing — you could see the impact of the work you did. And the relationships I built during that time have stayed with me. I'm still close with so many people I worked with early on. It was very good for my career, and honestly, for the kind of leader I have become.
We acquired Longbow and evolved that technology into Veracode Fix, bringing the first auto-remediation tool to market. We’re doing a lot more on the AI side of the portfolio, but also helping organizations put the right guardrails in place so they can safely use AI. Developers in many cases are no longer writing code directly. They’re just using an agent. So we’re doing more and more to help secure that code.
Development teams can’t keep up. You’ve already got this significant tech debt that you can’t solve for, and now you’re creating code at the pace of machine speed. No human can keep up with that. It’s becoming even more important not just to prioritize risk, but to understand and prioritize risk based on your ‘crown jewel’ applications and what has the greatest potential to be exploited. Then you need to find and fix those vulnerabilities and autofix through AI so you can scale. The next thing is trust. How can I trust that software is safe to deploy?
The next step is the control plane. When you’re getting ready to deploy code, it’s going to tell you: yes, you’re safe to deploy. The platform checked everything. You get the green light. Or no, you’re missing these components, and it will block the deployment. Or it may allow for exceptions if the right approvals are in place and there is a timeline associated with it. We’re very much headed toward this trust platform. I think that’s going to be critical, especially with new regulations and CISOs being personally liable.
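As an added illustration (not Veracode's code, and not a description of how Veracode Fix or its platform is implemented), the following Python sketch shows one way a deploy-time gate of the kind described above can behave, combining it with the crown-jewel prioritization from the previous answer: findings are weighted by application tier, an exploitable finding at or above the tier's threshold blocks the deploy, and a finding can only be waived by an exception that is both approved and still inside its time window. Every name, tier, threshold and sample finding here is an assumption made for the example.

```python
"""Illustrative deploy-time trust gate (added example, not vendor code).

Models three outcomes the interview describes: green light, block, or
allow-with-exceptions when an exception is approved and time-bound.
Tiers, thresholds, field names and sample data are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy: the more critical the application, the lower the
# severity that blocks a deploy. Crown-jewel apps block on exploitable
# medium-and-up findings; internal tools only on exploitable criticals.
BLOCK_THRESHOLD = {"crown_jewel": "medium", "standard": "high", "internal": "critical"}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    exploitable: bool  # e.g. reachable code path or known public exploit


@dataclass(frozen=True)
class TimeBoundException:
    finding_id: str
    approved_by: Optional[str]  # None means requested but never approved
    expires: datetime


@dataclass
class Decision:
    verdict: str  # "allow", "allow_with_exceptions" or "block"
    blocking: List[str] = field(default_factory=list)
    excepted: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def is_blocking(finding: Finding, tier: str) -> bool:
    """Non-exploitable findings are tracked but never block; exploitable ones
    block once they reach the tier's severity threshold."""
    threshold = SEVERITY_RANK[BLOCK_THRESHOLD[tier]]
    return finding.exploitable and SEVERITY_RANK[finding.severity] >= threshold


def valid_exception(exc: TimeBoundException, now: datetime) -> bool:
    """An exception only counts if someone approved it and it has not expired."""
    return exc.approved_by is not None and exc.expires > now


def evaluate_deploy(tier: str, findings: List[Finding],
                    exceptions: List[TimeBoundException], now: datetime) -> Decision:
    by_id = {e.finding_id: e for e in exceptions}
    d = Decision(verdict="allow")
    for f in findings:
        if not is_blocking(f, tier):
            continue
        exc = by_id.get(f.id)
        if exc is not None and valid_exception(exc, now):
            d.excepted.append(f.id)
            d.reasons.append(f"{f.id}: waived by {exc.approved_by} until {exc.expires.date()}")
            continue
        if exc is None:
            why = "no exception on file"
        elif exc.approved_by is None:
            why = "exception never approved"
        else:
            why = "exception expired"
        d.blocking.append(f.id)
        d.reasons.append(f"{f.id}: {f.severity}, exploitable, {why}")
    if d.blocking:
        d.verdict = "block"
    elif d.excepted:
        d.verdict = "allow_with_exceptions"
    return d


# Constructed sample input for the example (fixed clock so results are stable).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", exploitable=True),
    Finding("F2", "medium", exploitable=True),
    Finding("F3", "high", exploitable=False),
]
SAMPLE_EXCEPTIONS = [TimeBoundException("F1", "ciso", NOW + timedelta(days=30))]
SAMPLE_UNAPPROVED = [TimeBoundException("F1", None, NOW + timedelta(days=30))]


if __name__ == "__main__":
    for tier in BLOCK_THRESHOLD:
        d = evaluate_deploy(tier, SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, NOW)
        print(tier, d.verdict, d.reasons)
```

The same critical finding with an approved 30-day exception yields allow-with-exceptions for a standard-tier app but block for a crown-jewel app, because the medium exploitable finding crosses the stricter threshold; once the clock passes the exception's expiry, or if the exception was never approved, the gate falls back to block rather than silently honouring a stale waiver.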
A. Buyers are going to evaluate software more carefully. Budgets aren’t unlimited, and it’s really hard to rip and replace something. You’ve got to be able to prove that what you’re offering is real. That can be through trials. I want to do more with trials and give people the opportunity to really experience the value right out of the box.
You also need very good proof-of-value engagements. Not just demo it, but let’s do a proof-of-value. Let’s take a real use case that you have, prospective customer, and show you your own instance, your own environment, using your data. Let’s prove the platform can do what it says it can do. Then they’re going to want to know what other people are saying. We’ve been fortunate to receive strong recognition from analyst firms over the years, and those evaluations provide buyers with an independent perspective on how vendors compare in the market. Peer review sites are important too because customers are sharing their own experiences there. Those are the kinds of third-party validation buyers increasingly look for when they're making decisions.
A. First and foremost, you have to be the company that truly solves customer problems. It has to be real. It can’t be smoke and mirrors. You have to anticipate what the future needs. We’ve been doing this for 20 years. We’ve seen the evolution. We’ve evolved and continued to be first to market. We moved from AppSec, where we were just finding vulnerabilities, to findings to policy when nobody else did that, to delivering application risk management when people weren’t really thinking about that. Now we’re thinking about the future, where you’re going to need to prove that the software you’re deploying is safe.
Customers may not be thinking that way right now. They’re thinking, how do I get to market the fastest? How do I get my technology out the door? But they may not be thinking, wait a minute, I’m liable – I have to really think this through. We need to educate them. We need to say, you probably haven’t thought about this, but this is your future. Let me advise you on what’s happening right now, why this is so critical, and why we’re here to help you get ahead of it.
As AI accelerates software development and reshapes the cybersecurity landscape, Buffo believes the industry is moving toward a future where proving trust will matter as much as the pace of innovation itself. For Veracode, that means helping organizations move beyond simply finding vulnerabilities and toward understanding whether their software is truly safe to deploy. And for cybersecurity vendors more broadly, it means credibility, transparency, and real-world validation will increasingly separate the companies buyers trust from the ones they walk away from.
At the same time, Buffo believes many organizations are still underestimating how quickly these pressures are converging. As software development accelerates and AI-driven workflows become more common, security teams are being asked to balance speed, compliance, and governance in ways that were unimaginable just a few years ago. That tension, she argues, is exactly why trust, visibility, and provable security controls are becoming foundational requirements rather than differentiators.